The MOVEit breach is one of the largest and most widespread cyberattacks of 2023, affecting millions of individuals and hundreds of organizations across various industries. The breach was carried out by a Russian ransomware gang called Cl0p, which exploited a vulnerability in the MOVEit Transfer file transfer tool developed by Progress Software. MOVEit Transfer is widely used software that allows organizations to securely transfer sensitive files, such as personal data, financial information, and health records.
The perpetrators exploited an undiscovered, or “zero-day,” vulnerability (a software flaw unknown to the vendor and therefore unpatched) in the MOVEit file-transfer software, a product that is used by thousands of customers in the United States and beyond. This software is designed to manage confidential information, secure files through encryption and forward them to specified individuals or groups. The hackers exploited SQL injection vulnerabilities in the MOVEit file transfer application, enabling them to alter or delete information by accessing the server database.
The breach was discovered in May 2023, when Progress Software alerted its customers and issued a patch to fix the vulnerability. However, by then, many organizations had already been compromised and had their data stolen. The impact of the breach is still unfolding, as more victims are being identified and more data is being leaked online. The breach poses significant risks to the privacy, security, and reputation of the affected organizations and individuals, as well as potential legal and regulatory consequences.
Some of the confirmed victims of the breach include:
- The U.S. Department of Health and Human Services (HHS), Department of Energy, and other federal agencies
- Retirement systems including the California Public Employees’ Retirement System and the Tennessee Consolidated Retirement System
- The National Student Clearinghouse, which works with 3,600 colleges and universities and 22,000 high schools
- Leading law firms such as Kirkland & Ellis LLP and K&L Gates LLP
- Major energy corporations including Schneider Electric, Siemens Energy, and Shell
- Universities in the US, including Johns Hopkins, University of Georgia, and UCLA
How to Manage Vendor Risk Amidst the MOVEit Breach
The MOVEit breach is a stark reminder of the importance of managing vendor risk in today’s interconnected world. Vendors are essential partners for many organizations, providing valuable products and services that enable business operations and innovation. However, vendors also introduce potential vulnerabilities and threats to an organization’s data and systems, especially when they handle sensitive information or have access to critical infrastructure.
In light of the MOVEit breach, effective vendor risk management is as important as ever. It is important to assess and continuously monitor your vendors, understanding the impact of the breach on them and mitigating risks that may arise as a result.
The first step in managing this risk is developing a custom assessment to identify:
- The vendors that use or have used an affected version of MOVEit Transfer in their operations
  In addition to developing custom assessments for our customers to identify vendors using the MOVEit software, we have also devised a few ways (using ThreatScape data) to determine if an organization is or might be using the MOVEit software. We then surveyed our vendor population and notified our clients of who is and/or could be using the MOVEit software, taking a proactive approach to mitigate any additional potential risk arising from the MOVEit breach and ensuring that customers have complete visibility into vendors who may be compromised by the MOVEit breach.
- The impact of the MOVEit breach on the affected vendors. Key considerations include:
  - How much data was compromised in the breach
  - The type of data compromised (e.g., personal information, financial information, health records, etc.)
  - The sensitivity or confidentiality of the data, and how its compromise could affect your organization or your customers
- The remediation efforts taken by affected vendors. Progress Software issued guidance on how to address the vulnerability, including:
  - Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment
  - Apply the latest patches based on the relevant MOVEit Transfer version
  - Delete unauthorized files and user accounts
  - Monitor network, endpoints, and logs for IoCs (Indicators of Compromise)
Based on this information, you can stratify your affected vendors according to their risk level (for example, high-risk, medium-risk, or low-risk). This classification can then guide the development of targeted questions designed to assess and address vulnerabilities linked to the MOVEit breach that might impact your organization.
Remember, assessing your vendors is not a one-off task! It’s important not to rely solely on an initial evaluation of your vendors’ security posture. Instead, establish a process for continuous monitoring that allows you to keep track of risks related to the MOVEit breach over time. Continuous monitoring enables real-time analysis of all your vendors’ externally facing attack surfaces and vulnerabilities, and through it we are able to identify companies that have been adversely affected by the breach. This approach not only allows for the detection of adverse changes in a vendor’s security posture as they occur but also offers the insights necessary for the prompt resolution of these issues.
How ProcessBolt Can Help
ProcessBolt offers a fully-integrated, AI-driven vendor risk management platform that uniquely enables organizations to assess and continuously monitor their vendor networks.
Complete today to learn how we can help you effectively manage vendor risk amidst the MOVEit breach.